2024-12-21 00:30:30 +00:00
|
|
|
# Nginx WAF rules for FIXATION
|
2025-01-16 13:49:54 +01:00
|
|
|
# Automatically generated from OWASP rules.
|
|
|
|
|
# Include this file in your server or location block.
|
2024-12-21 00:30:30 +00:00
|
|
|
|
2025-01-16 13:49:54 +01:00
|
|
|
map $request_uri $waf_block_fixation {
|
|
|
|
|
default 0;
|
2025-01-26 00:25:41 +00:00
|
|
|
"~*^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" 1;
|
2025-01-27 00:26:20 +00:00
|
|
|
"~*@eq 0" 1;
|
2025-01-25 00:24:31 +00:00
|
|
|
"~*(?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)" 1;
|
2025-01-24 00:25:21 +00:00
|
|
|
"~*!@endsWith %{request_headers.host}" 1;
|
2025-01-27 00:26:20 +00:00
|
|
|
"~*^(?:ht|f)tps?://(.*?)/" 1;
|
2025-01-16 13:49:54 +01:00
|
|
|
}
|
2025-01-08 00:26:52 +00:00
|
|
|
|
2025-01-16 13:49:54 +01:00
|
|
|
if ($waf_block_fixation) {
|
|
|
|
|
return 403;
|
|
|
|
|
# Log the blocked request (optional)
|
|
|
|
|
# access_log /var/log/nginx/waf_blocked.log;
|
2024-12-21 00:30:30 +00:00
|
|
|
}
|
2025-01-16 13:49:54 +01:00
|
|
|
|
